Data Protection Officers should be heart of innovation
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
In a quiet but consequential meeting with representatives from the Information Commissioner’s Office (ICO) this week, a simple idea was put forward with immense weight: Data Protection Officers (DPOs) must not sit on the sidelines of innovation. Instead, they should be part of the process, giving early input, shaping implementation, and anchoring compliance from the start. Not just because it ticks a legal box — but because it strengthens trust and drives smarter outcomes.
Too often, DPOs are brought in too late. A product is ready for release. A customer platform is halfway built. An AI-driven solution is weeks from deployment. And only then does someone raise a hand to say, “Have we spoken to the data team?” By that stage, any changes are costly, disruptive, and invariably met with resistance. The opportunity to build privacy in — naturally, seamlessly — has been lost.
The ICO, to its credit, recognises this. Their project sandboxes are an excellent example of proactive regulation. By inviting organisations to test new initiatives under regulatory supervision, they’re giving room for innovation to breathe and for safeguards to be put in place. But more than that, they’re showing that privacy professionals are not obstacles. We’re architects.
This approach needs to be normalised — not only at the regulatory level, but inside companies themselves. Especially in jurisdictions where data protection is still finding its footing, like Nigeria, the opportunity is clear: we can take in best practice from the beginning, rather than retrofitting controls under pressure. For too long, compliance has been viewed through a narrow lens — a set of tick-boxes, policies on shelves, training sessions once a year. That’s not data protection. That’s insurance.
Real data protection is cultural. It’s about design decisions. It’s about language — what we say to our customers, what we show on screen, what permissions we ask for, and how often we revisit our assumptions. It’s about knowing that just because the law allows something doesn’t mean we should do it. And all of this becomes possible when DPOs are part of the discussion from day one.
In truth, the companies that are getting this right are the ones that treat data protection as a competitive advantage, not a burden. They are the ones inviting their privacy teams into brainstorming sessions, scoping documents, wireframes, and strategy decks. They understand that trust is earned over time and lost in seconds. They know that their brand lives or dies by how well they handle their customers’ information.
This is not a call for DPOs to slow things down. It’s quite the opposite. It’s a call to bring in the voices who will help projects move faster by getting the details right early. When the ICO invites input, they’re creating a model of collaborative governance. And companies should do the same. Build your own sandbox. Test your assumptions. Invite challenge. It will cost less. It will protect more. And it will reflect well when regulators inevitably come calling.
In Nigeria, where the NDPA 2023 has laid the foundation for stronger data rights, this is an opportunity. Regulators can follow the ICO’s lead by opening structured avenues for DPO input. But the private sector mustn’t wait to be told. Banks, fintech firms, telecoms, edtech start-ups — they all handle enormous volumes of personal data. They must treat their DPOs not as watchdogs but as partners in delivery.
If privacy professionals are left out of the room, organisations will continue to stumble into crises they could have easily avoided. But if they are given a seat at the table — and a voice worth hearing — the result is something rare in today’s tech landscape: confidence. Not only that the right thing is being done, but that it’s being done deliberately, responsibly, and with foresight.
That’s what data protection is for. Not to slow the future down — but to help us build it better.
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com